Back Orifice 2000

When viewing my "McAfee Log Viewer" for "Inbound Events" I get "Unsolicited Connections" all the time and under the "Event Information"
heading it tells me what port was just accessed. And when I use the "Trace this IP" option it usually traces it to China or Australia and, of
course, I have the option to ban it. I also get "Unsolicited Connections" from my ISP.

But, once in a while I get one from an IP that matches my ISP, but under the "Event Information" heading it says something obscene like (in this
case) "Back Orifice 2000".

"UDP port 54320 is commonly used by the "Back Orifice 2000" service or program. The source computer has scanned your computer for this trojan, but it
has been blocked by your firewall."

QUESTIONS:
(1) In layman's terms, what exactly does this mean, and should I be worried about someone accessing my computer?

(2) a) I also get hits for ports 18728 (like one every 15 seconds) and port 4466 (every time I connect to the internet). What are these ports used for
and how can I close them?
b) Have these connections already been blocked and my Log Viewer is merely noting that an attempt was made?

(3) I've also traced a group of IPs (all have the same set of numbers in them, with the exception of the last 2 or 3 digits) to a location the same
distance away from CIA HQ in Virginia, and the Pentagon. To which I always scratch my head and wonder, WTF!?

Someone is just doing a port scan on you. Takes a bit to explain in layman's terms though.

First you have to know what a server is. Most of the time when someone says server they mean big computer. For a port scan though they mean the actual
software that's running on the big computer.

What the software does is it opens a port and listens for requests from other computers. When it gets one it sends those computers the data they
request. That's it.

Why ports? Well if you're poor folk like me you might only have one actual physical server. However, you can still run multiple virtual servers on
the same computer. You may run a web server and an email server on the same box or whatever servers you want.

Both would have the same IP address so you have to tell the server which port. Either the mail server or the web server. Most web servers run on port
80 so you don't usually have to type the port in when web browsing BTW. If you ever see something like :8080 in a url it means they're running on a
diff port than usual. Typically because the normal one isn't currently working on their system for some reason.

So that's what a port is. They're not real. They don't actually exist. It's just a number you tag on to the request you send the server so it
knows exactly which program you're trying to talk to because that comp may be running more than one virtual server.

There are two types of ports, TCP and UDP ports, and they can be numbered from 0 to 65,535. Which type and which port are all used for different types
of data and servers.

What the hacker is doing is sending requests to each one of your ports to see if any of them are open. If anything is listening on the other side they
might be able to trick that software into doing something it's not supposed to. Like deleting all your files or something because there's a bug in
the server code that the hacker knows about.

Okay so, here's the real deal though. You're on a desktop PC. Not a server. That means you're not running any servers (typically) because you
don't have any data you want to serve to anybody. You're just connecting to other people's servers like ATS's or Google's.

So it's really really hard to break in through a port when nothing is listening. No matter what request they send it just gets dropped and disappears
into the ether. So they can't hack you right?

So, here's what they do. They create viruses like this Back Orifice thing. What it does is opens up a port and starts listening for the commands from
the hacker and does whatever the hacker tells it to.

That way, once you're infected the hacker can dial into your system and take control anytime he wants because he's got something there listening for
his instructions now.

What your firewall is telling you is that you're not infected by the virus and the port isn't open and is successfully being blocked, but somebody
is trying to look and see if it's running on your system.

Probably what's going on is some hacker is just plain bored and has written an automated script that goes around the net probing random
IP addresses that are infected with this Back Orifice thing and if it finds one, it'll take control of that computer somehow. What your firewall is
telling you though is that you're protected from the jerk and it has given him the boot.

EDIT: Oh and if you wanna put another firewall or NAT like the one built into most routers in between you and the wall you can block them there
before they get to your comp, but if you're wireless you're just gonna get weird stuff coming at you sometimes cause hackers are retarded and
bored.

EDIT AGAIN: Oh I guess Back Orifice actually does have some real legitimate uses for when you need to control a computer that you're far away from
but the hacker probably doesn't want to do anything legitimate with it.
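The answer's central point, that a request to a port with nothing listening behind it simply gets refused or dropped, can be seen on a single machine. The following is an added example, not code from the original post or from any product mentioned in the thread: it starts a tiny TCP "server" on a loopback port the OS picks, connects to it once while it is listening, closes it, and connects again. The helper names (start_listener, try_connect, demo) are this example's own.

```python
import socket
import threading


def start_listener(host="127.0.0.1"):
    """Start a minimal TCP server on an OS-chosen loopback port.

    Returns (listening_socket, port). The server thread answers exactly one
    connection with a greeting and then exits.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))          # port 0 = let the kernel pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        try:
            conn, _peer = srv.accept()
        except OSError:
            return               # listener was closed before anyone connected
        with conn:
            conn.sendall(b"hello from the program listening on this port\n")

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def try_connect(host, port, timeout=1.0):
    """Return (reachable, reply).

    reachable is True only if a program accepted the connection; when nothing
    is listening the kernel refuses the connection (ConnectionRefusedError),
    which is the "dropped and disappears into the ether" case from the post.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as c:
            return True, c.recv(1024)
    except (ConnectionRefusedError, socket.timeout, OSError):
        return False, b""


def demo():
    """Connect to the same port with and without a listener behind it."""
    srv, port = start_listener()
    reachable_with, reply = try_connect("127.0.0.1", port)
    srv.close()                  # no program listens on that port any more
    reachable_without, _ = try_connect("127.0.0.1", port)
    return {
        "with_listener": reachable_with,
        "reply_ok": reply.startswith(b"hello"),
        "without_listener": reachable_without,
    }


if __name__ == "__main__":
    print(demo())
```

The only thing that changed between the two connection attempts is whether a program was bound to the port; the port number itself is just the label the kernel uses to pick which program, if any, receives the request.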
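The original question asks what the log entries mean and whether the connections were already blocked. As an added example (not code from the original post, and not McAfee's export format, which is assumed here as a simple "key=value" line for illustration), the following parses a few constructed inbound-event lines, labels the one port/protocol pair the thread actually identifies (UDP 54320 as a Back Orifice 2000 probe), and summarises per source address whether everything was blocked and whether the same source keeps coming back. Ports 18728 and 4466 from the question are deliberately left as "no known signature" because the page does not say what they are.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines in an assumed McAfee-style "Inbound Events"
# layout. Addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
2003-04-12 10:01:05 Unsolicited Connection src=203.0.113.7 proto=UDP dport=54320 action=blocked
2003-04-12 10:01:20 Unsolicited Connection src=198.51.100.23 proto=TCP dport=18728 action=blocked
2003-04-12 10:01:35 Unsolicited Connection src=198.51.100.23 proto=TCP dport=18728 action=blocked
2003-04-12 10:01:50 Unsolicited Connection src=198.51.100.23 proto=TCP dport=18728 action=blocked
2003-04-12 10:02:03 Unsolicited Connection src=203.0.113.7 proto=TCP dport=80 action=blocked
2003-04-12 10:02:10 Unsolicited Connection src=192.0.2.44 proto=UDP dport=4466 action=allowed
2003-04-12 10:02:15 some unrelated line that the parser should skip
"""

# The only signature the thread itself gives: UDP 54320 = Back Orifice 2000 probe.
KNOWN_PROBES = {("UDP", 54320): "Back Orifice 2000 (trojan probe)"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) Unsolicited Connection "
    r"src=(?P<src>[\d.]+) proto=(?P<proto>TCP|UDP) "
    r"dport=(?P<port>\d+) action=(?P<action>\w+)$"
)


@dataclass(frozen=True)
class Event:
    ts: str
    src: str
    proto: str
    port: int
    action: str


def parse_log(text):
    """Turn log text into Event objects, silently skipping lines that don't match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(Event(m.group("ts"), m.group("src"), m.group("proto"),
                            int(m.group("port")), m.group("action")))
    return events


def label(event):
    """Human-readable meaning of the port, or a plain 'unknown' when we have no signature."""
    return KNOWN_PROBES.get((event.proto, event.port), "unknown service / no known signature")


def summarize(events):
    """Per-source counts: attempts, distinct ports touched, non-blocked hits, matched signatures."""
    summary = {}
    for e in events:
        s = summary.setdefault(e.src, {"attempts": 0, "ports": set(),
                                       "not_blocked": 0, "signatures": set()})
        s["attempts"] += 1
        s["ports"].add((e.proto, e.port))
        if e.action != "blocked":
            s["not_blocked"] += 1          # the firewall let it through: worth a look
        sig = KNOWN_PROBES.get((e.proto, e.port))
        if sig:
            s["signatures"].add(sig)
    return summary


def classify_source(entry, scan_threshold=3):
    """Answer the question the poster asked: was it blocked, and is it a scan?"""
    if entry["not_blocked"]:
        return "REVIEW: at least one inbound connection was not blocked"
    if entry["signatures"]:
        return "blocked trojan probe: " + ", ".join(sorted(entry["signatures"]))
    if len(entry["ports"]) >= scan_threshold or entry["attempts"] >= scan_threshold:
        return "blocked, repeated probing (port scan or noisy peer)"
    return "blocked, single unsolicited attempt"


def report(text):
    """Map each source address to its classification."""
    return {src: classify_source(entry) for src, entry in summarize(parse_log(text)).items()}


if __name__ == "__main__":
    for src, verdict in report(SAMPLE_LOG).items():
        print(f"{src:>15}  {verdict}")
```

An "action=blocked" entry is a record of an attempt that was stopped, which is exactly what the firewall message on the page describes; the line that deserves attention in a real log is the one whose action is anything other than blocked.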
